Apache2 conf file with SSL causes ERR_CONNECTION_REFUSED - apache

I am trying to configure my SSL certificate on an Ubuntu 15.10 box. I have installed the certificate files and the private key in the required directory:

```apache
SSLCertificateFile /etc/apache2/ssl-certs/pts.crt
SSLCertificateKeyFile /etc/apache2/ssl-certs/msk.key
SSLCertificateChainFile /etc/apache2/ssl-certs/intermediate.crt
```
When I run `sudo service apache2 restart` I am prompted with `Enter passphrase for SSL/TLS keys for www.mydomain.com:443 (RSA): ********`, and since this process reports no errors, I assume that I have at least installed the certificates and private key correctly; otherwise I would have expected an error at this stage.
My problem is that I receive ERR_CONNECTION_REFUSED when trying to load the site.
Here is my backup copy of the VirtualHost entry for the SSL site that I am using. Are there any obvious problems with this file?
I should also add that when I use this configuration, not only does the intended site fail to load, but it also causes all other sites on this apache2 box to fail to load as well. Any ideas?
```apache
<VirtualHost *:80>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    ServerAdmin daniel@mydomain.com
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost 172.30.30.21:443>
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    ServerAdmin me@mydomain.com
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile /etc/apache2/ssl-certs/pts.crt
    SSLCertificateKeyFile /etc/apache2/ssl-certs/msk.key
    SSLCertificateChainFile /etc/apache2/ssl-certs/intermediate.crt
    DocumentRoot /home/apts/Dropbox/mydomain.com/
    <Directory /home/apts/Dropbox/mydomain.com/>
        <IfModule mod_rewrite.c>
            <IfModule mod_ssl.c>
                # <Location /squirrelmail>
                RewriteEngine on
                RewriteCond %{HTTPS} !^on$ [NC]
                RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
                # </Location>
            </IfModule>
        </IfModule>
        SSLOptions +StrictRequire
        Options +FollowSymLinks -Indexes +MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLVerifyClient none
    SSLProxyEngine off
</VirtualHost>
```
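The vhost above carries two SSLProtocol lines (`SSLProtocol all` near the top and `SSLProtocol -all +TLSv1 +SSLv3` at the bottom). The following is an added example, not code from the question, that works out which protocol set a vhost actually ends up with by applying mod_ssl's token rules (`all` expands to every version except SSLv2, `+` adds, `-` removes, a bare token replaces the set, and the last SSLProtocol directive in a scope wins) and then lists the deprecated versions left enabled. The expansion of `all` assumed here is that of an Apache 2.4 build with TLS 1.3 support; `QUESTION_VHOST` and `HARDENED_VHOST` are constructed, condensed copies of the block above.

```python
import re
from typing import List, Optional, Set

# Assumption: the versions `all` expands to on an Apache 2.4 build linked against
# an OpenSSL with TLS 1.3 (SSLv2 is never included).
ALL_VERSIONS = ['SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
DEPRECATED = {'SSLv3', 'TLSv1', 'TLSv1.1'}
_CANON = {v.lower(): v for v in ALL_VERSIONS}
_DIRECTIVE = re.compile(r'^\s*SSLProtocol\s+(.+?)\s*$', re.I)


def parse_sslprotocol(args: str) -> Set[str]:
    """Apply the +/- token rules of one SSLProtocol directive, left to right."""
    enabled: Set[str] = set()
    for tok in args.split():
        sign, word = (tok[0], tok[1:]) if tok[0] in '+-' else ('', tok)
        w = word.lower()
        if w == 'all':
            versions = set(ALL_VERSIONS)
        elif w == 'sslv2':
            versions = set()            # accepted for compatibility, never enabled
        elif w in _CANON:
            versions = {_CANON[w]}
        else:
            raise ValueError(f'unknown SSLProtocol token {tok!r}')
        if sign == '+':
            enabled |= versions
        elif sign == '-':
            enabled -= versions
        else:
            enabled = versions          # a bare token replaces whatever was set
    return enabled


def effective_protocols(vhost_text: str) -> Optional[Set[str]]:
    """Protocol set in force for a <VirtualHost> block; None if the block sets
    none (the server-level or built-in default then applies)."""
    result = None
    for line in vhost_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            result = parse_sslprotocol(m.group(1))   # a later directive overrides an earlier one
    return result


def deprecated_enabled(vhost_text: str) -> List[str]:
    """Deprecated versions still negotiable under the block's effective setting."""
    prot = effective_protocols(vhost_text)
    return sorted(prot & DEPRECATED) if prot else []


# Constructed: the SSL-relevant lines of the question's 443 vhost.
QUESTION_VHOST = """
<VirtualHost 172.30.30.21:443>
    SSLEngine on
    SSLProtocol all
    SSLCertificateFile /etc/apache2/ssl-certs/pts.crt
    SSLProtocol -all +TLSv1 +SSLv3
</VirtualHost>
"""

# Constructed: the same block with a single directive that keeps only TLS 1.2 and 1.3.
HARDENED_VHOST = """
<VirtualHost 172.30.30.21:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl-certs/pts.crt
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == '__main__':
    for label, text in (('question', QUESTION_VHOST), ('hardened', HARDENED_VHOST)):
        print(label, sorted(effective_protocols(text)), 'deprecated:', deprecated_enabled(text))
```

The point the script makes is that the first `SSLProtocol all` in the question's vhost is dead configuration: the later `-all +TLSv1 +SSLv3` line is the one in effect, and it leaves only two deprecated versions negotiable.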

Related

Set up an apache reverse proxy with SSL certs and multiple domains

I need help configuring Apache to act as a reverse proxy with https and multiple domains, such that www.myfirstdomain.com and www.myseconddomain.com both point to x.x.x.x and then the server selectively forwards to, let's say, x.x.x.x:2400 (myfirstdomain.com, http), x.x.x.x:2401 (myfirstdomain.com, https), x.x.x.x:2600 (myseconddomain.com, http) and x.x.x.x:2601 (myseconddomain.com, https).
I tried many options but in the end I got stuck because I had issued more than 5 certs (renewals) per week, and also I couldn't make it work.
myfirstdomain.com and www.myfirstdomain.com (http and https) were configured as follows:
/etc/apache2/sites-available/000-default.conf :
```apache
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:2400/
    ProxyPassReverse / http://127.0.0.1:2400/
</VirtualHost>
<VirtualHost *:443>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:2401/
    ProxyPassReverse / http://127.0.0.1:2401/
</VirtualHost>
<VirtualHost *:2400>
    ServerName myfirstdomain.com
    ServerAlias www.myfirstdomain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/myfirstdomain/public
    <Directory /var/www/html/myfirstdomain/public>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myfirstdomain.com
    RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    RewriteCond %{SERVER_NAME} =www.myfirstdomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:2401>
    ServerName myfirstdomain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/myfirstdomain/public
    <Directory /var/www/html/myfirstdomain/public>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =myfirstdomain.com
    RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```
Then I generated the certs with `certbot --apache` for both www and non-www, and ended up with this file:
/etc/apache2/sites-available/000-default-le-ssl.conf:
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:2401/
    ProxyPassReverse / http://127.0.0.1:2401/
</VirtualHost>
<VirtualHost *:2401>
    ServerName myfirstdomain.com
    ServerAlias www.myfirstdomain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/myfirstdomain/public
    <Directory /var/www/html/myfirstdomain/public>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.
    # RewriteCond %{SERVER_NAME} =myfirstdomain.com
    # RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    # RewriteCond %{SERVER_NAME} =www.myfirstdomain.com
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    SSLCertificateFile /etc/letsencrypt/live/www.myfirstdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.myfirstdomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
# closing tag for the <IfModule mod_ssl.c> block above (missing from the copy as posted)
</IfModule>
```
I also tried to regenerate the HTTPS certificates but it won't work. How do I do it?
First of all, remember that Apache listens on a set of ports, for instance 80 and 443.
VirtualHosts use the same ports (80 and 443) and Apache selects the correct folder using the domain name you use.
For example, myfirstdomain.com could display /var/www/html/myfirstdomain/public, but if Apache listens on port 80, it never matches the rule for *:2400.
I haven't tried this, but you could put ProxyPass and ProxyPassReverse in each virtual host and leave the port at :80 or :443.
When you call myfirstdomain.com:80, the rule in Apache matches and it proxies to the other server.
See this answer.
Let's Encrypt creates an ACME challenge (a file with a random string) that needs to be reachable from the internet. The certification server looks for this file; if it exists the certificate is issued, if not it throws an error.
I don't remember the correct path of the file, but you must verify:
can you reach "myfirstdomain.com" from the internet?
can an external server reach "myfirstdomain.com"? (check the DNS name and the port forwarding of your router)
can you open the ACME challenge file?
can the server open the ACME challenge file?
On some Plesk installations ACME files cannot be reached because Plesk adds some automatic rules.

SSL Certificate error in Apache 2.4 ending to gitlab domain.com/users/sign_in

I am facing an SSL certificate problem.
I have a dedicated host, and I cannot figure out what I am missing; the browser reports this error:
Chrome:
NET::ERR_CERT_COMMON_NAME_INVALID
Mozilla:
SSL_ERROR_BAD_CERT_DOMAIN
The messages in the browsers are quite similar:
Impossible to verify from the server that it is truly the domain site2.com, because its security certificate comes from *.sub.site1.com. It may come from a bad config or a connection being intercepted by a pirate. (translated message)
So it seems that the certificate is not picked up when it goes through the virtual host:
```apache
<VirtualHost *:80>
    ServerName www.site2.com
    ServerAlias site2.com
    Redirect permanent / https://site2.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.site2.com
    ServerAlias site2.com
    DocumentRoot /var/www/site2
    Protocols h2 http/1.1
    <If "%{HTTP_HOST} == 'www.site2.com'">
        Redirect permanent / https://site2.com/
    </If>
    ErrorLog ${APACHE_LOG_DIR}/site2-error.log
    CustomLog ${APACHE_LOG_DIR}/site2-access.log combined
    SSLEngine On
    SSLCertificateFile /home/certifs/site2.crt
    SSLCertificateKeyFile /home/certifs/site2.key
    SSLCertificateChainFile /home/certifs/site2.pem
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression off
    SSLUseStapling on
    <Directory /var/www/site2/>
        Options FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/site2/>
        RewriteEngine on
        RewriteBase /
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*) index.php [PT,L]
    </Directory>
</VirtualHost>
```
Finally, if I choose to go to the website anyway, it arrives at a GitLab sign-in page like:
site2.com/users/sign_in
For information, the server runs apache2 on Debian, and we have GitLab installed.
Thank you in advance for your help.
The problem was that in apache2 I was correctly creating the conf file in the sites-available folder, but I was never adding it to the sites-enabled folder.
Executing the command "a2ensite site2.conf" fixed this problem.
To check whether you have enabled your site correctly, I advise you to run this command: apachectl -S. Please also check this topic, because it may vary depending on your server config: How to debug an apache virtual host configuration?

Apache always loads the same vhost

I have the following vhosts. However, the vhosts always seem to resolve to app.home when using https; the only way to make it load cloud.home is by removing app.home from the vhosts. This leads me to believe that it ignores the ServerName setting.
app.home.conf
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName app.home
    ProxyPreserveHost On
    ProxyRequests off
    ProxyPass /api/websocket ws://localhost:8123/api/websocket disablereuse=on keepalive=on
    ProxyPassReverse /api/websocket ws://localhost:8123/api/websocket disablereuse=on
    ProxyPass / http://localhost:8123/ disablereuse=on keepalive=on
    ProxyPassReverse / http://localhost:8123/ disablereuse=on
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://localhost:8123/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*) http://localhost:8123/$1 [P,L]
    SSLCertificateFile /etc/letsencrypt/live/app.home/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/app.home/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```
cloud.home.conf
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cloud.home
    DocumentRoot "/var/www/cloud"
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/cloud/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/cloud.home.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/cloud.home.access.log combined
    SSLCertificateFile /etc/letsencrypt/live/cloud.home/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.home/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
```
Apache receives an encrypted connection on port 443. It then negotiates the certificate with the client's browser. But at this point, it has not read the requested domain yet. It must negotiate the certificate first to decrypt the payload.
So Apache will always use the first VirtualHost it finds that matches port 443. It gets the certificate from this one.
To fix that, you have to:
set up a second IP for your second domain, so Apache will be configured to say domain1 == IP1, domain2 == IP2;
use a different port for the second domain, like :444 (but this is not convenient since it is not the default); or
use SNI. Do some research on this; it is too long for an explanation here.
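The answer above and the first related answer (the one about requests on port 80 never reaching a `*:2400` vhost) describe the same selection rule from two sides. As an added example, not from either answer, the script below models that rule as the Apache vhost documentation states it: the candidates are the vhosts whose address and port match the accepted connection (an exact IP literal beats `*`, which also matters for a config that mixes `<VirtualHost 172.30.30.21:443>` with wildcard vhosts), the first candidate whose ServerName or ServerAlias claims the requested name wins, and otherwise the first candidate listed is the default. For a TLS handshake the requested name is the SNI hostname, so the "first VirtualHost on 443" behaviour described above is what happens when the client sends no SNI or a name no vhost claims. The sample configs are constructed, condensed from the ones quoted on this page, and the accepting address 203.0.113.10 is a placeholder.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class VHost:
    addr: str                      # "*", "_default_" or an IP literal from <VirtualHost addr:port>
    port: int
    server_name: Optional[str] = None
    aliases: List[str] = field(default_factory=list)
    cert: Optional[str] = None     # SSLCertificateFile, if the block has one


_OPEN = re.compile(r'<VirtualHost\s+([^:\s>]+):(\d+)\s*>', re.I)


def parse_vhosts(text: str) -> List[VHost]:
    """Collect only the directives this model needs from a config fragment."""
    vhosts: List[VHost] = []
    cur: Optional[VHost] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _OPEN.match(line)
        if m:
            cur = VHost(m.group(1), int(m.group(2)))
            vhosts.append(cur)
            continue
        if line.lower() == '</virtualhost>':
            cur = None
            continue
        if cur is None:
            continue
        key, *args = line.split()
        key = key.lower()
        if key == 'servername' and args:
            cur.server_name = args[0].lower()
        elif key == 'serveralias':
            cur.aliases.extend(a.lower() for a in args)
        elif key == 'sslcertificatefile' and args:
            cur.cert = args[0]
    return vhosts


def _claims(vh: VHost, name: str) -> bool:
    if vh.server_name == name:
        return True
    return any(fnmatchcase(name, alias) for alias in vh.aliases)  # ServerAlias allows * and ?


def select_vhost(vhosts: List[VHost], local_ip: str, port: int,
                 name: Optional[str] = None) -> Optional[VHost]:
    """Pick the vhost for a connection accepted on local_ip:port.
    `name` is the SNI hostname during the handshake, or the Host header for the request."""
    exact = [v for v in vhosts if v.port == port and v.addr == local_ip]
    cands = exact or [v for v in vhosts if v.port == port and v.addr in ('*', '_default_')]
    if not cands:
        return None                        # nothing configured for this socket
    if name:
        name = name.lower().split(':')[0]  # Host headers may carry a port
        for v in cands:
            if _claims(v, name):
                return v
    return cands[0]                        # no name match: first listed is the default


# Constructed: condensed from the app.home / cloud.home configs above.
TWO_SITES = """
<VirtualHost *:443>
    ServerName app.home
    SSLCertificateFile /etc/letsencrypt/live/app.home/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName cloud.home
    SSLCertificateFile /etc/letsencrypt/live/cloud.home/fullchain.pem
</VirtualHost>
"""

# Constructed: condensed from the reverse-proxy config in the first related question.
PROXY_SITES = """
<VirtualHost *:80>
    ProxyPass / http://127.0.0.1:2400/
</VirtualHost>
<VirtualHost *:2400>
    ServerName myfirstdomain.com
    ServerAlias www.myfirstdomain.com
</VirtualHost>
"""

ACCEPT_IP = '203.0.113.10'   # placeholder for the address Apache accepted the connection on

if __name__ == '__main__':
    two = parse_vhosts(TWO_SITES)
    print('SNI cloud.home  ->', select_vhost(two, ACCEPT_IP, 443, 'cloud.home').cert)
    print('no SNI          ->', select_vhost(two, ACCEPT_IP, 443).cert)
    proxy = parse_vhosts(PROXY_SITES)
    hit = select_vhost(proxy, ACCEPT_IP, 80, 'myfirstdomain.com')
    print('port 80 request ->', f'*:{hit.port}', 'ServerName', hit.server_name)
```

Running it shows the two behaviours the answers describe: with no SNI the first `*:443` block (app.home) supplies the certificate, with SNI `cloud.home` the second one does, and a request on port 80 lands in the `*:80` proxy block no matter which domain it names, so the `*:2400` block is only reached by whatever is sent to port 2400.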

SetHandler seems to be ignored

I am installing Shibboleth on Apache 2 on Ubuntu 14.04 LTS. The actual Shib install seems to go fine, so I configured the site .conf file to use Shibboleth.
When I access https://lib.msu.edu/secure, it is handled by Shibboleth (with an appropriate config exception at this stage), but when I access https://lib.msu.edu/Shibboleth.sso/Metadata (or anything else under Shibboleth.sso) it gets redirected to PHP/Drupal, is never seen by the Shibboleth system, and gets a 404 error.
My best guess is that Apache is not passing the request to Shibboleth, but I am not sure why, nor how to debug the situation. This all worked fine on our test server and we cannot find any configuration differences that explain why.
The Apache .conf file follows:
```apache
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName lib.msu.edu
    ServerAlias library.msu.edu
    ServerAlias [...]
    DocumentRoot [MyValidRoot]
    <Directory [MyValidRoot]>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    <Location /secure>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Location>
    SSLEngine on
    SSLCertificateFile [validcertpath]
    SSLCertificateKeyFile [validkeypath]
    SSLCertificateChainFile [validIntermediateCertpath]
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite [cipherString]
    SSLHonorCipherOrder on
    SSLCompression off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Redirect /cgi-bin/ [CGIserver]/cgi-bin/
    # Redirect all requests to lib.msu.edu (except wwwm, for testing mirror)
    <If "! req('Host') in { 'lib.msu.edu', 'wwwm.lib.msu.edu' }">
        Redirect / https://lib.msu.edu/
    </If>
    RewriteEngine On
    # force trailing slash
    RewriteCond %{REQUEST_METHOD} !=post [NC]
    RewriteRule ^(.*(?:^|/)[^/\.]+)$ $1/ [L,R=301]
    # redirect .js and .css 404s to tomcat
    RewriteCond %{REQUEST_URI} \.(css|js)$
    RewriteCond /var/www/mainweb%{REQUEST_URI} !-f
    RewriteRule ^/(.*)$ https://tomcat.lib.msu.edu/$1 [L]
</VirtualHost>
```
Thank you for any help you can give! We have already spent hours banging our heads on this shibboleth install.
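No answer is recorded for this question, but one thing that can be verified from the config alone is what the vhost-level rewrite rules do to paths under /Shibboleth.sso. As an added example (not code from the question), the script below replays the two RewriteRule blocks from the config on sample paths, using Python's re module in place of PCRE and a constructed set of existing files in place of the `-f` check; the Tomcat origin and the /var/www/mainweb prefix are the ones named in the config. Applying the page's own trailing-slash pattern shows that a GET for /Shibboleth.sso/Metadata matches it and is answered with a 301 to /Shibboleth.sso/Metadata/, which is worth comparing with what the Shibboleth handler expects to receive; a POST to the same path is left alone because of the `!=post` condition.

```python
import re
from typing import FrozenSet, Tuple

# RewriteCond %{REQUEST_METHOD} !=post [NC]
# RewriteRule ^(.*(?:^|/)[^/\.]+)$ $1/ [L,R=301]
TRAILING_SLASH = re.compile(r'^(.*(?:^|/)[^/\.]+)$')

# RewriteCond %{REQUEST_URI} \.(css|js)$
# RewriteCond /var/www/mainweb%{REQUEST_URI} !-f
# RewriteRule ^/(.*)$ https://tomcat.lib.msu.edu/$1 [L]
STATIC_ASSET = re.compile(r'\.(css|js)$')
DOCROOT = '/var/www/mainweb'
ASSET_ORIGIN = 'https://tomcat.lib.msu.edu'


def apply_rules(uri: str, method: str = 'GET',
                existing_files: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Replay the two vhost-level rule sets on one request.

    Returns ('redirect', url)  when the trailing-slash rule fires (R=301),
            ('external', url)  when the css/js rule substitutes the Tomcat URL
                               (mod_rewrite sends an absolute URL on another host as a redirect),
            ('pass', uri)      when neither rule applies.
    `existing_files` stands in for the -f test against DOCROOT (constructed)."""
    if method.lower() != 'post':
        m = TRAILING_SLASH.match(uri)
        if m:
            return 'redirect', m.group(1) + '/'
    if STATIC_ASSET.search(uri) and (DOCROOT + uri) not in existing_files:
        return 'external', ASSET_ORIGIN + '/' + uri.lstrip('/')
    return 'pass', uri


# Constructed sample requests, including the path the question says never reaches Shibboleth.
SAMPLES = [
    ('/Shibboleth.sso/Metadata', 'GET'),
    ('/Shibboleth.sso/Metadata', 'POST'),
    ('/secure', 'GET'),
    ('/secure/', 'GET'),
    ('/theme/site.css', 'GET'),
]
# Constructed: pretend this one asset exists under the DocumentRoot.
PRESENT = frozenset({DOCROOT + '/theme/site.css'})

if __name__ == '__main__':
    for uri, method in SAMPLES:
        print(f'{method:4} {uri:28} -> {apply_rules(uri, method)}')
    print('with the css present on disk ->', apply_rules('/theme/site.css', existing_files=PRESENT))
```

The trailing-slash pattern treats any final path segment without a dot as a directory name, so the endpoint names under /Shibboleth.sso fall into it while file-like names such as site.css do not.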

apache serving the wrong ssl certificate

I have the following 2 sections in my httpd.conf file. I have a wildcard cert for *.example.biz installed at the given location. As you can see, the 4 SSL directives are identical (copied and pasted) in both sections. However, when I go to example.biz I get an SSL error saying the CA certificate expired in 2015. When I go to the subdomain, I get the right certificate chain, which says it expires in 2018. I apologize that I am using an example, but this is for a client that must remain confidential.
```apache
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/2017.crt
    SSLCertificateKeyFile /etc/pki/tls/private/my_biz_2016.key
    SSLCertificateChainFile /etc/pki/tls/certs/2017_ca.crt
    <Directory /var/www/MyCompany/example.com/public/>
        AllowOverride All
    </Directory>
    ErrorLog /var/www/logs/example.com/error.log
    CustomLog /var/www/logs/example.com/access.log combined
    DocumentRoot /var/www/MyCompany/example.com/public/
    ServerName example.biz
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/2017.crt
    SSLCertificateKeyFile /etc/pki/tls/private/my_biz_2016.key
    SSLCertificateChainFile /etc/pki/tls/certs/2017_ca.crt
    <Directory /var/www/MyCompany/SubDomain/public/>
        AllowOverride All
    </Directory>
    ErrorLog /var/www/logs/SubDomain/error.log
    CustomLog /var/www/logs/SubDomain/access.log combined
    DocumentRoot /var/www/MyCompany/SubDomain/public/
    ServerName subdomain.example.biz
</VirtualHost>
```
Lastly, this is my .htaccess file if that is helpful:
```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```
Also: I pinged both domains; they both point to the same server, and I am not using Cloudflare or anything of the like.
I also restarted Apache to make sure.
I define all of my vhosts in a vhosts file, but in my httpd.conf file I had apparently set up a set of defaults such as:
```apache
ServerAdmin root@localhost
ServerName example.biz
# I wasn't using this folder
DocumentRoot /var/www/html
```
Once I deleted those erroneous defaults, it started working.